1. Introduction

In the past few years, there has been considerable research on concurrency control, including
both systems design and theoretical study. The problem is roughly as follows. Data in a large
(centralized or distributed) database is assumed to be accessible to users via transactions, each of
which is a sequential program which can carry out many steps accessing individual data objects. It is
important that the transactions appear to execute "atomically", i.e. without intervening steps of other
transactions. However, it is also desirable to permit as much concurrent operation of different
transactions as possible, for efficiency. Thus, it is not generally feasible to insist that transactions run
completely serially. A notion of equivalence for executions is defined, where two executions are
equivalent provided they "look the same" to all transactions and to all data objects. The serializable
executions are just those which are equivalent to serial executions. One goal of concurrency control
design is to insure that all executions of transactions be serializable.


Several characterization theorems have been proved for serializability; generally, they amount to
the absence of cycles in some relation describing the dependencies among the steps of the
transactions. A very large number of concurrency control algorithms have been devised. Typical
algorithms are those based on two-phase locking [EGLT], and those based on timestamps [La].
Although many of these algorithms are very different from each other, they can all be shown to be
correct concurrency control algorithms. The correctness proofs depend on the absence-of-cycles
characterizations for serializability.


More recently, it has been suggested [Re, M, LiS] that some additional structure on transactions
might be useful for programming distributed databases, and even for programming more general
distributed systems. The suggested structure permits transactions to be nested. Thus, a transaction
is not necessarily a sequential program, but rather can consist of (sequential or concurrent)
sub-transactions. The intention is that the sub-transactions are to be serialized with respect to each
other, but the order of serialization need not be completely specified by the writer of the transaction.
This flexibility allows more concurrency in the implementation than would be possible with a
single-level transaction structure consisting of sequential transactions. The general structure allows
transactions to be nested to any depth, with only the leaves of the nesting tree actually performing
accesses to data.


Transactions are often used not only as a unit of concurrency, but also as a unit of recovery. In a
nested transaction structure, it is natural to try to localize the effects of failures within the closest
possible level of nesting in the transaction nesting tree. One is naturally led to a style of programming
which permits a transaction to create children, and to tolerate the reported failure of some of its
children, using the information about the occurrence of the failures to decide on its further activity.
The intention is that failed transactions are to have no effect on the data or on other transactions.
This style of programming is a generalization of the "recovery block" style of [Ra] to the domain of
concurrent programming. Indeed, this style seems to be especially suitable for programming
distributed systems, since many types of failures of pieces of programs are likely to occur in such
systems.


Reed [Re] has designed an algorithm which uses multiple versions of data to implement nested 
transactions. Moss [M] has abstracted away from Reed's specific implementation of nested 
transactions, presenting a general description of the nested transaction model. He has also 
developed an alternative implementation of the nested transaction model, based on two-phase 
locking. This model and implementation are fundamental to the Argus distributed computing 
language, now under development by Liskov's group at MIT [LiS]. 


The basic correctness criteria for nested transactions seem to be clear enough, intuitively, to
allow implementors a sufficient understanding of the requirements for their implementation.
However, some subtle issues of correctness have arisen in connection with the behavior of failed
sub-transactions. For example, the Argus group has decided that a pleasant property for an
implementation to have is that all transactions, including even "orphans" (subtransactions of failed
transactions), should see "consistent" views of the data (i.e. views that could occur during an
execution in which they are not orphans). The implementation goes to considerable lengths to try to
insure this property, but it is difficult for the implementors to be sure that they have succeeded.


It seems clear that some basic groundwork is needed before such properties can be proved.
Namely, the theory already developed for concurrency control of single-level transaction systems
without failures needs to be generalized to incorporate considerations of nesting and failures. The
model needs to be formal, in order to allow careful specification of all the correctness requirements:
the simple and intuitive ones, as well as the rather subtle ones.


This paper begins to develop this groundwork. First, a simple "action tree" structure is defined,
which describes the ancestor relationships among executing transactions and also describes the
views which different transactions have of the data. A generalization of serializability to the domain of
nested transactions with failures is defined. A characterization is given for this generalization of
serializability, in terms of absence of cycles in an appropriate dependency relation on transactions. A
slightly simplified version of Moss' algorithm is presented in detail, and a correctness proof is given.


The correctness proof is complete, detailed, and rigorous. Its style appears to be quite interesting
in its own right. Producing such a proof was a very difficult task; the main issues that made it so
difficult were the nesting of transactions and the possible failures of subtransactions. The initial
attempts to develop such a proof led to extremely complicated, non-modular constructions.
Gradually, after we had tried for many months to organize the proof, the uniform general proof
structure presented in this paper began to emerge. This structure allows the proof to be decomposed
in a very natural way. Without this structure, it is doubtful that we would have been able to complete a
proof at all. (We know of few comparably successful complete proofs for difficult distributed
algorithms.)


The proof is based on certain algebras, which we call "event-state" algebras. An event-state
algebra is an abstract description of a computing system and the protocol that governs its behavior.
The elements of the algebra are states of the computing system. An operation of the algebra is an
"event" of the system, i.e. a computation step; it transforms a state to another state. The operations
are only partially defined, in correspondence with the fact that a step might not be applicable to all
states. The rules that specify when an operation is defined correspond to the algorithm or protocol
that controls the execution of the system.


Another important concept for our proof is the notion of a mapping between algebras. It is useful
to describe a computing system on several different levels of abstraction, i.e. as several distinct
algebras. A mapping from an algebra 𝒜 to another algebra ℬ is a "simulation" of ℬ by 𝒜 provided
that every valid computation of 𝒜 is mapped to a valid computation of ℬ. Thus, 𝒜 is, in a sense, an
"implementation" of ℬ.


The approach taken in this paper to a correctness proof of Moss' algorithm is the following. The
system governed by the algorithm is described by a succession of algebras, each one describing
more specific details about the algorithm and its implementation. In the highest level algebra, the only
precondition for the applicability of a step (an operation) is that it preserve global correctness. This
algebra is quite far from the algorithm itself. As a matter of fact, this algebra represents "what needs
to be achieved" by the system. Successive algebras get closer to the algorithm, i.e. to "how it is
achieved". Showing the existence of a simulation mapping between each pair of successive levels is
the heart of the correctness proof.


One novel aspect of the simulations we use, different from the usual notions of "abstraction"
mappings, is that our simulations map single lower level states to sets of higher level states, rather
than just single higher level states. (We call them "possibilities" mappings.) This extra flexibility
seems quite convenient for many implementations, allowing the lower level algebra sometimes to
contain less detail than the higher level algebra. For example, it might be easy to prove correctness
of an algorithm which maintains lots of auxiliary data. The correctness of an algorithm which
contains less detail could be proved, in our model, by showing that it simulates the algorithm which
maintains the auxiliary data.


While possibilities mappings are convenient for proving correctness of ordinary centralized 
algorithms, they produce their greatest payoff for distributed algorithms. Namely, a distributed 
algorithm is described as a special case of an event-state algebra, a "distributed algebra”. A 
distributed algebra has a set of “components”. The state set for the algebra is just a Cartesian 
product of local states, one for each component. The events are partitioned among the set of 
components, according to which component is assumed to "perform" the event. Event domains and 
transitions are defined componentwise. To show that a distributed algebra simulates some other 
“abstract” algebra, it suffices to define an appropriate possibilities mapping from the global states of 
the distributed algebra, to sets of states of the abstract algebra. It turns out to be extremely natural to 
describe such a mapping by first describing a possibilities mapping from the local state of each 
component to sets of abstract states. The image of a local state under this mapping just represents
the set of possible global states consistent with the knowledge of the particular component. The 
possibilities for the entire distributed algebra are simply obtained by taking the intersection of the 
possibilities consistent with the knowledge of all the components. 


It appears that this technique extends to give natural proofs of many algorithms, especially
distributed algorithms, and thus warrants further investigation. Goree [G] presents a slightly more 
general development of the technique than is presented in this paper, but more remains to be done. 


The concurrency control definitions given in this paper express the most fundamental correctness
requirements, but not subtle conditions such as correctness of orphans' views. Issues of fairness and
eventual progress are not addressed, but rather only safety properties, serializability in particular.
Future work involves extending the framework presented here to allow expression of these other
properties, and to allow correctness proofs for the difficult algorithms which guarantee these
properties. Some further work in these directions has already been carried out: Goree [G] gives a
definition for correctness of orphans' views, and has given a correctness proof for a complicated
algorithm used in the implementation of Argus to maintain correctness of orphans' views in the face
of transaction aborts.


A related recent paper [B] also addresses the problem of proving correctness of algorithms
implementing nested transactions. However, that paper does not address issues of failure and
recovery, which are primary considerations of the present paper. Also, the kind of nesting they
consider appears to be somewhat different from ours: it appears to be designed primarily for
describing levels of data abstraction. Finally, the proof techniques of [BBGLS] are quite different
from ours.


Although our variant of Moss' algorithm is described completely in this paper, we urge the
interested reader to read Moss' presentation in [M]. His presentation gives useful background and
context for the algorithm, as well as a much more intuitive description of the algorithm than is
presented here.


2. Event-State Algebras 

In this section, we describe the event-state algebra framework. This framework is used in the later
sections to organize the formal correctness proof for Moss' algorithm. The algorithm is described in a
series of five levels, each of which is described as an event-state algebra.


The reader who is mainly interested in the formal model for nested transactions, and in Moss'
algorithm, rather than in proofs of concurrent algorithms, can safely skim the contents of this section. 


2.1. Algebras and Simulations 

We begin with the basic algebra definitions. An event-state algebra 𝒜 = <A, σ, Π> consists of a
set A of states, an element σ ∈ A, the initial state, and a set Π of partial unary operations (the events).
In this paper, we will usually refer to an event-state algebra as simply an algebra.


Next, we give standard definitions for computability concepts. For any event π, we let domain(π)
denote the set of states for which π is defined. Let a be a state, and let Φ = (π_1, ..., π_k) be any finite
sequence of events chosen from Π. Then Φ is said to be valid from a provided b =
π_k(π_{k-1}(...(π_1(a))...)) is defined (i.e. provided that π_{i-1}(...(π_1(a))...) is in domain(π_i), for all i,
1 ≤ i ≤ k). In this case, b is called the result of Φ applied to a. An infinite sequence of events is said to be
valid from a provided all its finite prefixes are valid from a. We say that Φ is valid provided it is valid
from σ, and the result of Φ is defined to be the result of Φ applied to σ. We write a ⊢ b provided there
is some finite Φ, valid from a, for which b is the result of Φ applied to a. b is computable provided
σ ⊢ b.


In order to decompose our proof into levels of abstraction, we require a definition of "simulation"
of an algebra 𝒜 = <A, σ, Π> by another algebra 𝒜' = <A', σ', Π'>. In this paper, we present a very
weak definition. An interpretation of 𝒜 by 𝒜' is a mapping h: Π' → Π ∪ {λ}. (Here, λ represents a
null event.) We extend h to a homomorphism mapping event sequences of 𝒜' to event sequences of
𝒜 in the obvious way (deleting occurrences of λ). An interpretation, h, is a simulation of 𝒜 by 𝒜'
provided that h(Φ') is a valid event sequence for 𝒜 whenever Φ' is a valid event sequence for 𝒜'.


We note that these definitions do not rule out certain trivial situations. We have not imposed the
general requirement that 𝒜' include a representation of every event in 𝒜. We have also not imposed
any requirements that events of 𝒜' be defined on large domains. Thus, our techniques are not
powerful enough to prove that 𝒜' does everything which is required to implement 𝒜 correctly; rather,
we assume that 𝒜' is given, and we are to prove that everything it does is correct for 𝒜. We believe
that the more powerful techniques required to insure the stronger properties require extra machinery,
and a more sophisticated general theory than we wish to present here.


The first lemma gives a basic composition result. This lemma justifies our composition of
simulation results for adjacent levels, to prove a simulation result for non-adjacent levels.
Lemma 1: Assume that 𝒜, 𝒜' and 𝒜'' are algebras, that h is a simulation of 𝒜 by 𝒜'
and h' is a simulation of 𝒜' by 𝒜''. Then h ∘ h' is a simulation of 𝒜 by 𝒜''.
Proof: Straightforward. □


2.2. Possibilities Mappings 

Our basic method for proving correctness is showing that simulations exist between adjacent
members of a sequence of algebras. Therefore, we need a tool that can be used to show that a
mapping is a simulation. In this subsection, we give a sufficient condition for a mapping h from 𝒜' to
𝒜 to be a simulation. The condition involves defining a correspondence between states of the two
algebras, in addition to events. It turns out to be most convenient, for the reasons discussed in the
Introduction, to allow the state mapping to map a single state of 𝒜' to a set of states of 𝒜 rather than
just to a single state. The states in such a set are called "possibilities", i.e., the "possible" states
corresponding to a given state. If we think of 𝒜' as a "concrete" algebra, and 𝒜 as a more "abstract"
algebra, then we see that a possibilities mapping allows single "concrete" states to be mapped to sets
of "abstract" states rather than just single abstract states.


Let h: A’ U IT’ - SA) U IT U {A} be such that hea’ € HA) for all a’ € A’, and h restricted to IT’ is 
an interpretation, i.e. h(7’) € FI U {A} for all a’ € [1’. (Here, Pdenotes the power set.) Then h is a 
possibilities mapping from A’ to A provided the following are true: 


(a) o € h(o’). 


Assume a and a’ are computable in 4 and JA’, respectively, and a € h(a’). Assume qm’ € Il’. 


Assume a’ € domain(2’) and b’ = 2’(a’). 
(b) If h(a’) = » € TI, thena € Seman 
(c) Ifh(#’) = » € 11, then w(a) € h(b’). 
(d) If h(@') = A, then a € h(b’). 


Property (a) says that the initial state of 𝒜 is among the possibilities for the initial state of 𝒜'.
Property (b) says that an event is only performed in 𝒜' when its image event can be performed in 𝒜.
Properties (c) and (d) say that events performed in 𝒜' preserve possibilities. The following diagram
should be helpful in understanding (b) and (c). A similar diagram can be drawn to illustrate (d).


Figure 1: A Property of Possibilities Maps 


The following lemmas show that any possibilities mapping is a simulation.

Lemma 2: Let h be a possibilities mapping from 𝒜' to 𝒜. If Φ' is a valid event
sequence for 𝒜', and h(Φ') = Φ, then Φ is a valid event sequence for 𝒜. In addition, if Φ' is
finite, a' is the result of Φ' and a is the result of Φ, then a ∈ h(a').

Proof: By induction on the length of Φ'. □

Lemma 3: Any possibilities mapping from 𝒜' to 𝒜 is a simulation of 𝒜 by 𝒜'.

Proof: Immediate by Lemma 2. □
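As an added illustration of the definition above (not part of the paper), the following Python code checks conditions (a)-(d) exhaustively over the computable states of two small constructed algebras: an abstract algebra whose state is the serial order of committed transactions, and a concrete lock-based algebra that records only the committed set, so that a concrete state maps to a set of abstract orders. Both algebras, the lock discipline and the event names are assumptions made for this example; by Lemma 3, an empty list of violations means the concrete algebra simulates the abstract one.

```python
from itertools import permutations

# Constructed example: a possibilities-mapping checker for small, finite event-state
# algebras. An algebra is (initial state, events); each event is a partial function that
# returns None on states outside its domain.

TRANSACTIONS = ("T1", "T2", "T3")          # constructed sample universe

# Abstract algebra (the "what"): a state is the serial order in which transactions have
# committed; commit(t) is defined only while t has not committed yet.
A_INIT = ()

def abstract_commit(t):
    def event(seq):
        return None if t in seq else seq + (t,)
    return event

A_EVENTS = {f"commit({t})": abstract_commit(t) for t in TRANSACTIONS}

# Concrete algebra (the "how"): state = (holder of one global lock, committed set).
# A transaction must hold the lock to commit; the commit order is not recorded, so the
# concrete algebra carries less detail than the abstract one.
C_INIT = (None, frozenset())

def concrete_acquire(t):
    def event(state):
        holder, done = state
        return None if holder is not None or t in done else (t, done)
    return event

def concrete_commit(t):
    def event(state):
        holder, done = state
        return None if holder != t else (None, done | {t})
    return event

C_EVENTS = {}
for t in TRANSACTIONS:
    C_EVENTS[f"acquire({t})"] = concrete_acquire(t)
    C_EVENTS[f"commit({t})"] = concrete_commit(t)

# Interpretation h on events: acquire is the null event lambda (None here); the concrete
# commit(t) is interpreted as the abstract commit(t).
H_EVENTS = {name: (None if name.startswith("acquire") else name) for name in C_EVENTS}

def h_state(state):
    """Possibilities of a concrete state: every serial order of its committed set."""
    _, done = state
    return set(permutations(sorted(done)))

def computable_states(init, events):
    """All states a with sigma |- a, found by exploring valid event sequences."""
    seen, frontier = {init}, [init]
    while frontier:
        state = frontier.pop()
        for event in events.values():
            nxt = event(state)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen

def possibilities_violations(a_init, a_events, c_init, c_events, h_events, h_state):
    """Check (a)-(d) over all computable states; [] means h is a possibilities mapping."""
    violations = []
    if a_init not in h_state(c_init):
        violations.append(("a", c_init))                       # (a): sigma in h(sigma')
    for a_prime in computable_states(c_init, c_events):
        for name, event in c_events.items():
            b_prime = event(a_prime)
            if b_prime is None:
                continue                                       # a' not in domain(pi')
            image = h_events[name]
            for a in h_state(a_prime):                         # each possibility a in h(a')
                if image is None:                              # (d): lambda keeps a possible
                    if a not in h_state(b_prime):
                        violations.append(("d", name, a_prime, a))
                    continue
                a_next = a_events[image](a)
                if a_next is None:                             # (b): image event must be enabled
                    violations.append(("b", name, a_prime, a))
                elif a_next not in h_state(b_prime):           # (c): its result stays possible
                    violations.append(("c", name, a_prime, a))
    return violations

def locking_mapping_is_simulation():
    """True when the lock-based algebra's mapping satisfies (a)-(d)."""
    return possibilities_violations(A_INIT, A_EVENTS, C_INIT, C_EVENTS, H_EVENTS, h_state) == []

def swapped_interpretation_violations():
    """Interpreting acquire as the abstract commit (and commit as lambda) breaks (c) and (d)."""
    swapped = {name: ("commit" + name[len("acquire"):] if name.startswith("acquire") else None)
               for name in C_EVENTS}
    return possibilities_violations(A_INIT, A_EVENTS, C_INIT, C_EVENTS, swapped, h_state)

if __name__ == "__main__":
    print("lock-based algebra simulates serial commits:", locking_mapping_is_simulation())
    print("violations under the swapped interpretation:", len(swapped_interpretation_violations()))
```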


2.3. Distributed Algebras 

Next, we define a special kind of event-state algebra, called a "distributed algebra". A distributed
algebra is one which can be decomposed into components in a simple way: the states are Cartesian
products of states for the components, each event is assumed to be originated by some particular
component (although it can affect other components), and the definability and effects of events are
locally determined. Such an algebra provides a natural structure for describing distributed
algorithms. Processors in a network and message systems are typical examples of components in
such a decomposition.


An algebra, 𝒜 = <A, σ, Π>, is said to be distributed over a finite index set I using d, provided that A
is the Cartesian product of sets A_i, i ∈ I, d is a mapping, d: Π → I, giving the "doer" of each event, and
the following two conditions are satisfied.

- (Local Domain) Let i = d(π). If a, b ∈ A and a_i = b_i, then a ∈ domain(π) if and only if b ∈
domain(π).
- (Local Changes) If a, b ∈ domain(π), a' = π(a), b' = π(b) and a_i = b_i, then a'_i = b'_i.


The local domain property says that the state of the doer of an event determines the definability of
that event. The local change property says that the changes caused by an event are defined
componentwise. Note that in the local change property, the component i need not necessarily be the
doer of π; we permit other components to be affected by π, but assume that the effect is uniquely
determined by π and the state of the component. Strictly speaking, we could have omitted mention of
both of these properties in this paper, since they are not needed to prove the one simple result we
obtain (Lemma 4) about distributed algebras. However, the properties seem to describe the locality
structure of distributed algorithms quite accurately, and so we present them in anticipation of further
study.


It happens that there is a particularly natural way to define a possibilities mapping from a 
distributed algebra to another algebra. Namely, we define a "local mapping”, from the local state of 
each component of the distributed algebra to a set of abstract states. The result of this mapping 
should be thought of as the set of possible abstract states, as far as a particular component can tell 
from its local knowledge. The mapping from a global state of the distributed algebra can then be 
defined to yield the intersection of the images of all the component states. The conditions we require 
for local mappings are chosen to be sufficient to guarantee that the derived global mapping is a 
possibilities mapping. 


Let A’ = <A’, o’, Il’> be an algebra, distributed over | using d. Let A = <A, a, I> be any algebra. 
Let h be an interpretation from A’ to A. For eachi € |, let hi: A’ — SA) be such that h; depends on A’ 
only - i.e. ifa, = b, then h(a) = h,(b). Then we say that h and h,, i € |, form a local mapping from 4’ to 
A provided the following conditions are satisfied. 


(a) For alli € l, o € h(a’). 


Fix any i € | (for properties (b)-(d)). Assume a and a’ are computable in A and J’, respectively, 
and a € h(a’). Assume a’ € fl’, d(w') = i. Assume a’ € démain{z'), and b’ = '(a’). . 


(b) tf h(w') = » € FI, then a € domain(s). 

Fix (for properties (c) and (d)) any j € |. (This | can be the same as or different from I.) 
(c) Assume h(#') = w € Ianda€ h(a’). Then x(a) € h(b’). 

(d) Assume h(n’) = A and : €E hi{a’), Then a € h(b’). 


That is, (a) says that the initial state of 𝒜 is in the set of possibilities for each component's initial
state. Property (b) says that an event is only performed in 𝒜' when its doer knows that its image event
can be performed in 𝒜. Properties (c) and (d) consider the situation from the point of view of an
arbitrary component j. Property (c) says that an event with doer i preserves possibilities at component
j. Property (d) is analogous to (c), for events whose images are null events.


The following figure illustrates property (b).

Figure 2: A Property of Local Mappings

The following figure illustrates property (c).

Figure 3: Another Property of Local Mappings

The following lemma shows that local mappings yield possibilities mappings.
Lemma 4: Let 𝒜 and 𝒜' = <A', σ', Π'> be algebras, where 𝒜' is distributed over
I. Assume that h and h_i, i ∈ I form a local mapping from 𝒜' to 𝒜. Extend h to A' ∪ Π' by
defining h(a') = ∩_{i ∈ I} h_i(a'). Then h is a possibilities mapping from 𝒜' to 𝒜 (and therefore
a simulation of 𝒜 by 𝒜').
Proof: We check the four properties of the possibilities mapping definition.

(a) To see that σ ∈ h(σ'), it suffices to show that σ ∈ h_i(σ') for all i ∈ I. But this is exactly
the statement of property (a) of the local mapping definition.

Now we assume the hypotheses supplied for parts (b)-(d) of the possibilities mapping
definition. Assume also that d(π') = i.

(b) Since a ∈ h(a'), it is obvious that a ∈ h_i(a'). Property (b) of the local mapping
definition implies that a ∈ domain(π).

(c) In order to show that π(a) ∈ h(b'), it suffices to fix an arbitrary j ∈ I and show that
π(a) ∈ h_j(b'). Since a ∈ h_j(a'), the needed property follows from (c) of the local mapping
definition.

(d) It suffices to show that a ∈ h_j(b') for any j ∈ I. This follows as in the preceding
argument from (d) of the local mapping definition. □


If the definitions in this section are to be used in correctness proofs for the widest possible class 
of algorithms, they will probably need to be generalized. In particular, it seems appropriate to permit 
single events of a more concrete algebra to interpret sequences of events of a more abstract algebra. 
(See Goree [G] for definitions and uses for this generalization.) Also, allowing each algebra to have a 
set of initial states rather than just a single initial state would probably be useful. Since we do not
need these generalizations here, we do not make these extensions. 


3. Action Trees 

In this section, we provide the basic definitions needed to describe properties of nested
transactions. The definitions in this section describe a particular data structure, called an "action
tree", which provides a natural representation of nested transactions, the relationships between
them, and their views of data. We define "serializability" in terms of action trees. We also prove
several very basic lemmas about the definitions.


We caution the reader that there are many definitions in this section, and he should not try to 
remember them all. Rather, we suggest that he read the definitions once for familiarity, and then use
the section for later reference. 


In the rest of the paper, we often refer to transactions as just "actions", for brevity. This departure 
from the usual conventions of database theory has been made for consistency with the Argus work.


3.1. Objects and Actions 

The system is assumed to contain a set of data objects, upon which the nested actions operate.
We begin with some definitions for objects. Let obj be a universal set of data objects. For each x ∈
obj, let values(x) denote the set of values x can assume, including a distinguished initial value init(x).
A value assignment is a total mapping, f, from obj to values(obj), having the property that f(x) ∈
values(x) for all x ∈ obj.


Next, we give basic definitions for actions. In this paper, we have chosen to avoid modelling
transactions explicitly, with a particular programming model. Rather, we have attempted to extract
from such a model just that information which is needed for concurrency control theory.


Let act be a universal set of actions. Let U be a distinguished action. We assume that the actions
are configured a priori into a tree, representing their nesting relationship, with U as the root. For
every A ∈ act - {U}, let parent(A) denote a unique parent action for A. Let siblings denote {(A,B) ∈
act²: parent(A) = parent(B)}. If A ∈ act, let children(A) denote {B ∈ act: parent(B) = A}. If A,B ∈
act, let lca(A,B) denote the least common ancestor of A and B. If A ∈ act, let desc(A) (resp. anc(A)) be
the set of descendants (resp. ancestors) of A. Let proper-desc(A) (resp. proper-anc(A)) be the set of
proper descendants (resp. ancestors) of A.

It might be convenient for the reader to think of this a priori configuration of all possible actions
into a tree as a preassigned "naming scheme" for actions. That is, the "name" of any action is
assumed to carry within it information which locates that action in this universal tree of actions. In
any particular execution, only some of these possible actions will be "activated". The (virtual) action
U, the parent of all top-level actions, has been added for the sake of uniformity. Its presence provides
a simplification in many arguments.


We assume a priori determination of which actions actually access data, which objects they
access and the functions they perform on those objects. Namely, let accesses denote the leaves of
the tree described above. It is exactly these actions which access data. (We assume that U ∉
accesses, so that the entire set of actions is nontrivial.) Let object: accesses → obj be a fixed
function. If object(A) = x, we say that A is an access to x. For A ∈ accesses, let update(A):
values(object(A)) → values(object(A)) be a fixed function, describing the change made by A to its
object. Let sameobject denote {(A,B) ∈ accesses²: object(A) = object(B)}.


It might at first appear that our model does not permit updates to depend on previous steps 
executed by a transaction. This is not our intention. Dependence on previous steps is modelled by 
our choice of a particular access: the "name" of the access is assumed to carry information about 
previous steps executed by a transaction. 


Note that the usual read and write operations of serializability theory can be regarded as special
cases of accesses. Namely, "read accesses" have the identity function as their associated update 
function, while "write accesses" have an associated update function which is a constant function. 


3.2. Action Trees 

Next, we give a way of describing a "snapshot" of a particular execution, using a structure called
an "action tree". An action tree can be regarded as the generalization of the log from ordinary
serializability theory. The information captured in an action tree includes which actions have been
"activated", what the status of each such action is (i.e. active, committed or aborted), and what value
of its data object was seen by each access.


An action tree T has components vertices_T, active_T, committed_T, aborted_T, and label_T, where

- vertices_T is a finite subset of act, closed under the parent operation: if A ∈ vertices_T - {U}, then
parent(A) ∈ vertices_T. (These represent the actions which have ever been created during the current
execution.)

- active_T, committed_T and aborted_T comprise a partition of vertices_T. (These classifications
indicate the current status of each action that has ever been created. When a non-access action is
first created, it is classified as active. At some later time, its classification can be changed to either
committed or aborted. By "committed", we mean that the action is committed relative to its parent,
but not necessarily committed permanently. Permanent commit of an action would be represented by
classification of all ancestors of the action, except for U, as committed. Section 3.4 contains
definitions and a lemma about permanent commit of actions.)

- label_T: datasteps_T → values(obj), (where datasteps_T = committed_T ∩ accesses), with label_T(A)
∈ values(object(A)). (The label of an access to an object is intended to represent the value read by
that access. Since the access has an associated function, the value which the access writes into the
object is deducible from the value read, and therefore need not be explicitly represented. As a
technical convenience, we do not assign a label to accesses until they become committed.)

The following definitions are just convenient shorthand for concepts already defined. Let done_T
denote committed_T ∪ aborted_T. Let status_T be defined by status_T(A) = 'active' (resp. 'committed',
'aborted') provided A ∈ active_T (resp. committed_T, aborted_T). Let accesses_T = vertices_T ∩ accesses,
accesses_T(x) = {B ∈ accesses_T: object(B) = x}, and datasteps_T(x) = {B ∈ datasteps_T: object(B) =
x}.


3.3. Visibility
Next, we give a very important definition which helps to describe the "views" which actions have,
of each other and of the data. In particular, this definition allows us to describe actions whose
existence is intended to be known to other actions (i.e. not masked from those other actions by
intervening failures or active actions). For A ∈ vertices_T, let visible_T(A) denote {B ∈ vertices_T : anc(B)
∩ proper-desc(lca(A,B)) ⊆ committed_T}. That is, visible_T(A) is just the set of actions whose existence
is potentially known to action A, because they and all their ancestors, up to and not including some
ancestor of A, have committed (to their parents). Action A will be permitted to see the results of
updates made by the transactions in visible_T(A), and no others. For A ∈ vertices_T, x ∈ obj, let
visible_T(A,x) denote visible_T(A) ∩ datasteps_T(x). The following lemma describes elementary
properties of "visibility".
Lemma 5: Let T be an action tree, A, B, C ∈ vertices_T.
a. If B ∈ desc(A), then A ∈ visible_T(B).

b. A ∈ visible_T(B) if and only if A ∈ visible_T(lca(A,B)).

c. If A ∈ visible_T(B) and B ∈ visible_T(C), then A ∈ visible_T(C).

d. If A ∈ desc(B) and C ∈ visible_T(B), then C ∈ visible_T(A).

e. If A ∈ desc(B) and A ∈ visible_T(C), then B ∈ visible_T(C).

Proof:
a. Immediate.
b. Immediate from the fact that lca(A,B) = lca(A,lca(A,B)).

c. Let D ∈ anc(A) ∩ proper-desc(lca(A,C)). We must show that D ∈ committed_T. If D ∈ proper-desc(lca(A,B)), then the fact that A ∈ visible_T(B) implies the result. So assume that D ∉ proper-desc(lca(A,B)). It must be the case that D ∈ anc(lca(A,B)), and that lca(B,C) = lca(A,C). Thus, D ∈ anc(B) ∩ proper-desc(lca(B,C)), so the fact that B ∈ visible_T(C) implies the result.

d. Immediate from parts a and c.

e. Immediate from parts a and c.
□


A related definition allows us to describe actions which are capable of "committing up to the top level". If A ∈ vertices_T, then we say A is live in T provided anc(A) ∩ aborted_T = ∅, and we say A is dead in T otherwise.
Lemma 6: If A, B ∈ vertices_T, A is live in T, and B ∈ visible_T(A), then B is live in T.
Proof: If B is dead in T, then there exists C ∈ anc(B) ∩ aborted_T. We know C ∉ proper-desc(lca(A,B)), since B ∈ visible_T(A). Thus, C ∈ anc(lca(A,B)) ⊆ anc(A), so A is dead in T, a contradiction.
□


3.4. Serializability
In this subsection, we develop the basic correctness condition for action trees: serializability.

First, we define the result of applying a sequence of steps to a data object. If x ∈ obj and s is a finite sequence of datasteps, then we define result(x,s) as follows: If s is the empty sequence, then result(x,s) = init(x). Otherwise, let s = s'A. Then result(x,s) = update(A)(result(x,s')) if A involves x, and result(x,s) = result(x,s') otherwise.

If S is a set, and < is a total order on the elements of S, then we let <<S; <>> denote the sequence consisting of the elements of S, in the order given by <.


In order to define serializability, we need to consider linear orderings of all sets of siblings in the action tree. Thus, let T be an action tree. A partial order p ⊆ siblings is linearizing for T provided p totally orders all sets of siblings in T. A linearizing partial order p induces a total order, induced_{T,p}, on datasteps_T, in the obvious way: if A and B are datasteps, with respective ancestors A' and B', where A' and B' are siblings, then (A,B) ∈ induced_{T,p} if and only if (A',B') ∈ p. If A ∈ datasteps_T(x) and p is a linearizing partial order for T, let preds_{T,p}(A) denote <<{B ∈ visible_T(A,x) : (B,A) ∈ induced_{T,p} and B ≠ A}; induced_{T,p}>>. Thus, preds_{T,p}(A) denotes the sequence of datasteps whose effects on A's object are supposed to be visible to A.

A linearizing partial order p for T is said to be a serializing partial order for T provided that label_T(A) = result(x, preds_{T,p}(A)), for all A ∈ datasteps_T(x). That is, the value actually seen by A for its data object is exactly the result of the datasteps whose effects are supposed to be visible to A. T is said to be serializable provided there exists some serializing partial order for T.


In this paper, we consider serializability of portions of an action tree, rather than an entire action tree. In particular, it might sometimes be useful to require serializability only for those actions whose effects become "permanent", and not worry about those which get aborted.


Thus, given an action tree, T, a new action tree, perm(T), is defined as follows.
- vertices_{perm(T)} = visible_T(U). (Lemma 5e shows that perm(T) is a tree.)
- If A ∈ vertices_{perm(T)} then status_{perm(T)}(A) = status_T(A). (This status is always 'committed', except for U.)
- If A ∈ datasteps_{perm(T)} then label_{perm(T)}(A) = label_T(A).

The following lemma shows the useful property that all the vertices in a permanent tree are visible to each other.
Lemma 7: If T is an action tree and A, B ∈ vertices_{perm(T)}, then B ∈ visible_{perm(T)}(A).
Proof: Since B ∈ vertices_{perm(T)} = visible_T(U), Lemma 5d implies that B ∈ visible_T(A). Then B ∈ visible_{perm(T)}(A), since the status of each vertex is the same in T and perm(T).
□

In this paper, we will use the correctness condition that any tree T created by our algorithm should have perm(T) serializable. (It is worth noting that one of the reasons that actions might be aborted is that a concurrency controller has discovered that allowing an action to proceed or commit will corrupt serializability. Thus, there is no reason to expect complete action trees to be serializable, and we focus on the permanent part of the trees only.)


3.5. Discussion 

Note that the style in which serializability is defined here constrains the implementation less than the type of definition used in "traditional" concurrency control theory. The earlier definitions regard the data as external to the concurrency control algorithm; the algorithm is to take requests for data accesses and translate them into actual accesses, observing appropriate rules. Generally, the accesses performed by the concurrency control algorithm simply obtain the latest version of the data object. A clue that the earlier definitions are too constraining is that they do not apply unchanged to algorithms such as Reed's, which use sophisticated management of versions of the data. The earlier definitions require extensions [KP, BG] to handle algorithms such as Reed's. These extensions still regard the data as external to the concurrency control algorithm, and so the modified correctness conditions contain explicit information about particular "versions" of the data objects. It seems, however, that the appearance of serializability, in terms of the values seen by the accesses, is really all that matters - it is possible that this appearance could be preserved by some algorithm which does not operate in terms of versions at all.


The less constraining approach which is taken here is to regard the data as internal to the 
concurrency control algorithm, at least for the purpose of stating the basic correctness conditions. 
Thus, the definitions introduced in this paper are intended to be applicable to algorithms which use 
single versions of data objects, algorithms that use multiple versions of data objects, as well as to 
other implementations as yet unforeseen. 


4. An Algebra Based on Action Trees 

In this section, we begin to use the event-state algebra framework. We use the set of action trees as the state set for an algebra, and define a set of standard events which we would like to allow to be performed on action trees. We describe each event by defining the circumstances under which the event is to be allowed to be performed (the "precondition") and the changes to be made in the action tree (the "effect").


We will use this algebra as a specification of correct abstract system behavior, the first level in our 
correctness proof. Thus, we must ensure that the definition of this algebra includes the property that 
all action trees it generates have their permanent subtrees serializable. One way of doing this would 
be to include preservation of serializability explicitly in all the preconditions. It is a little simpler 
notationally just to state the serializability condition as a global invariant, to be maintained by all 
events; thus, we follow this latter option. In terms of the algebraic model, there is an implicit 
precondition on each event stating that the result of the event satisfies the global invariant. 


We now define a set of events on action trees. That is, we define an algebra 𝒜 = <A, σ, Π>, where A is the set of action trees, σ is the trivial action tree with the single vertex U, with status 'active', and Π contains the four kinds of events described in (a)-(d) below. We define the events as follows. First, we let C denote the set of all action trees, T, for which perm(T) is serializable. (In particular, σ ∈ C.) We place an implicit precondition on each event, stating that the result of the event is in C. Within this constraint, we define the domain by giving a precondition on action trees T, and use assignment notation to describe the effect of the event on T.
In all events, we assume that A ∈ act - {U}.
(a) create_A
(a1) Precondition
(a11) A ∉ vertices_T.
(a12) parent(A) ∈ vertices_T - committed_T.
(a2) Effect
(a21) vertices_T ← vertices_T ∪ {A}.
(a22) status_T(A) ← 'active'.
(b) commit_A, A ∉ accesses
(b1) Precondition
(b11) A ∈ active_T.
(b12) children(A) ∩ vertices_T ⊆ done_T.
(b2) Effect
(b21) status_T(A) ← 'committed'.
(c) abort_A
(c1) Precondition
(c11) A ∈ active_T.
(c2) Effect
(c21) status_T(A) ← 'aborted'.
(d) perform_{A,u}, A ∈ accesses, x = object(A), u ∈ values(x)
(d1) Precondition
(d11) A ∈ active_T.
(d2) Effect
(d21) status_T(A) ← 'committed'.
(d22) label_T(A) ← u.


The meaning of the four events is as follows. The create_A event creates (or "activates") a new action. It is required, of course, that A not be already in the tree. Its parent must be there, however, and must not already be committed (since a committed parent is assumed to have all of its children completed, and to depend on the completion of the particular set of children it had at the time of commit). Note that we allow A to be created after its parent has aborted. This might be reasonable in an implementation in which the two events occur at different nodes of a distributed system, for example. The effect of creating A is to add A to the tree, with status 'active'.

The commit_A event commits an active non-access action. It requires that A be active, and all its children be completed. The effect is to change the status to 'committed'. The abort_A event is similar, but there is no requirement on the children - an active action can abort at any time.

Finally, the perform_{A,u} event actually performs a step on a data object. It requires that access A be active, and changes its status to 'committed'. It also records (in our action tree analog to the "log") the value u seen by the access. (It is unnecessary to record the value written, since that could be inferred from the value seen.) Note that we do not specify how the value u is supposed to be obtained by the perform event; it is permissible to record any value, as long as the serializability condition is preserved.


We note that the only events which could cause the serializability constraint to be violated are 
commit and perform events. Thus, these are the only events for which the implicit precondition C is 
actually necessary. 


We also note that this algebra provides considerable flexibility in allowable sequences of events. 


5. Augmented Action Trees 

Now, we proceed to the second level of our proof. As before, it will be useful to define a data structure first, and then develop an algebra based on that data structure. The data structure to be used in the second level is called an "augmented action tree". It is very similar to an action tree, but includes some extra information describing a sequence of versions for each data object. An augmented action tree is similar to a transaction conflict graph with resolution of conflicts. We stated earlier that we did not want to rely on definitions that depend on data versions, for our basic correctness conditions. However, the definitions which make specific reference to versions are still useful in conjunction with the approach of this paper. Their role is in supplying sufficient conditions for serializability, and thereby helping to organize correctness proofs.

Serializability is defined for augmented action trees. It is seen that serializability for augmented action trees implies serializability for corresponding action trees. Moreover, serializability for augmented action trees has a cycle-free characterization similar to those in usual concurrency control theory. Therefore, this structure can be useful in proofs of serializability for action trees.

Thus, it is at our second level that the interesting concurrency control arguments occur.


5.1. Augmented Action Tree Definitions 

An augmented action tree (AAT), T, is a pair (S, data_T), where S is an action tree and data_T ⊆ sameobject is a partial order on datasteps_S which totally orders the datasteps for each object. We extend action tree notation to T; for example, we write datasteps_T to denote datasteps_S. We also extend the definitions of visible, live, dead, linearizing, induced, preds and serializable to T, by applying them to S.

The assumed ordering on accesses to each data object imposes an ordering on siblings higher up in the tree. If T is an AAT, then let sibling-data_T denote {(A,B) ∈ siblings : (C,D) ∈ data_T for some C ∈ desc(A), D ∈ desc(B)}.

We require notation for an access' visible predecessors in the version order. If A ∈ datasteps_T(x), then let v-data_T(A) denote {B ∈ visible_T(A,x) : (B,A) ∈ data_T and B ≠ A}. The following is a technical lemma.
Lemma 8: Let T be an AAT. Let p be a linearizing partial order for T, x ∈ obj, and A ∈ datasteps_T(x). Assume that induced_{T,p} is consistent with data_T. Then preds_{T,p}(A) = <<v-data_T(A); data_T>>.

Proof: Straightforward.
□

An AAT, T, is data-serializable provided there exists p, a serializing partial order for T, with the additional property that induced_{T,p} is consistent with data_T. Thus, T is data-serializable provided that it is serializable in a way that respects the conflict resolution partial ordering. Of course, data-serializability for AAT's provides a sufficient condition for serializability.


5.2. Characterization of Data-Serializability
The analog of the usual characterization in concurrency control theory is proved in this subsection. Namely, we give a characterization of data-serializability in terms of absence of cycles.

First, we give a definition which says that the label of each access describes the correct object value which the access should see, if the versions of objects are ordered according to the data_T order. Formally, an AAT is version-compatible provided for every x ∈ obj, and every A ∈ datasteps_T(x), it is the case that label_T(A) = result(x,s), where s = <<v-data_T(A); data_T>>.


The next theorem contains the characterization result.
Theorem 9: An AAT, T, is data-serializable if and only if both of the following are true:

a. T is version-compatible.

b. There are no cycles of length greater than one in sibling-data_T.

Proof: Assume T is data-serializable, and obtain p, a serializing partial order for T for which induced_{T,p} is consistent with data_T.
a. Let A ∈ datasteps_T(x), s = <<v-data_T(A); data_T>>. Then label_T(A) = result(x, preds_{T,p}(A)), by the definition of serializability, = result(x, s), by Lemma 8.

b. sibling-data_T ⊆ p. Thus, there are no cycles of length greater than one in sibling-data_T.

Now assume a. and b. Let p be any partial order which totally orders all siblings and is consistent with sibling-data_T. Then p is linearizing for T, and induced_{T,p} is consistent with data_T. We will show that p is a serializing partial order for T. Let x ∈ obj, A ∈ datasteps_T(x). We must show that label_T(A) = result(x, preds_{T,p}(A)). Since T is version-compatible, we know that label_T(A) = result(x, s), where s = <<v-data_T(A); data_T>>. Then Lemma 8 implies that s = preds_{T,p}(A), as needed.
□
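As an added example (not code from the paper), here is a small Python model of the definitions of Sections 3.3, 3.4 and 5: visible_T, live, perm(T), result, v-data_T, version-compatibility and sibling-data_T, together with a brute-force search over linearizing orders, so that both conditions of Theorem 9 can be checked against plain serializability on a constructed tree. The class name AAT, the helper child_toward, the update function inc and the tree built by example are this example's own assumptions; the tree has an aborted subaction S whose committed access c is hidden from the rest of the tree by visibility.

```python
# Added example (not the paper's code): Sections 3.3, 3.4, 5.1-5.2 definitions, checking Theorem 9.
from functools import cmp_to_key
from itertools import permutations, product
class AAT:
    """parent: child -> parent ('U' has none); status: action -> status string;
    accesses: access -> (object, update fn, label); data: object -> data_T order."""
    def __init__(self, parent, status, accesses, init, data):
        self.parent, self.status, self.accesses = parent, status, accesses
        self.init, self.data = init, data
    def anc(self, a):                       # anc(A), A itself included
        chain = []
        while a is not None:
            chain.append(a)
            a = self.parent.get(a)
        return chain
    def lca(self, a, b):
        ab = self.anc(b)
        return next(c for c in self.anc(a) if c in ab)
    def child_toward(self, l, a):           # the child of L on the path down to A
        return next(c for c in self.anc(a) if self.parent.get(c) == l)
    def visible(self, a):
        """visible_T(A) = {B : anc(B) ∩ proper-desc(lca(A,B)) ⊆ committed_T}."""
        out = set()
        for b in self.status:
            l = self.lca(a, b)
            between = [c for c in self.anc(b) if c != l and l in self.anc(c)]
            if all(self.status[c] == 'committed' for c in between):
                out.add(b)
        return out
    def live(self, a):                      # anc(A) ∩ aborted_T = ∅
        return all(self.status[c] != 'aborted' for c in self.anc(a))
    def datasteps(self, x=None):            # committed accesses (to x, if given)
        return [a for a, (o, _, _) in self.accesses.items()
                if self.status[a] == 'committed' and x in (None, o)]
    def perm(self):
        """perm(T): the vertices visible_T(U); statuses and labels unchanged."""
        keep = self.visible('U')
        return AAT({c: p for c, p in self.parent.items() if c in keep},
                   {a: s for a, s in self.status.items() if a in keep},
                   {a: v for a, v in self.accesses.items() if a in keep}, self.init,
                   {x: [d for d in s if d in keep] for x, s in self.data.items()})
    def result(self, x, seq):               # result(x, s) of Section 3.4
        v = self.init[x]
        for a in seq:
            if self.accesses[a][0] == x:
                v = self.accesses[a][1](v)
        return v
    def v_data(self, a):                    # <<v-data_T(A); data_T>>
        seq, vis = self.data[self.accesses[a][0]], self.visible(a)
        return [b for b in seq[:seq.index(a)] if b in vis]
    def version_compatible(self):           # label_T(A) = result(x, v-data_T(A))
        return all(self.accesses[a][2] == self.result(self.accesses[a][0], self.v_data(a))
                   for a in self.datasteps())
    def sibling_data_cycle(self):
        """True iff sibling-data_T has a cycle of length > 1 (Theorem 9, part b)."""
        edges = {}
        for seq in self.data.values():
            for i, c in enumerate(seq):
                for d in seq[i + 1:]:       # (C,D) in data_T lifts to siblings below lca(C,D)
                    l = self.lca(c, d)
                    edges.setdefault(self.child_toward(l, c), set()).add(self.child_toward(l, d))
        def on_cycle(n, path):
            return any(m in path or on_cycle(m, path | {m}) for m in edges.get(n, ()))
        return any(on_cycle(n, {n}) for n in edges)
    def serializable(self):
        """Brute force: for every linearizing p (one permutation per sibling set)
        test label_T(A) = result(x, preds_{T,p}(A)) for every datastep A."""
        sibs = {}
        for c, p in self.parent.items():
            sibs.setdefault(p, []).append(c)
        for choice in product(*(permutations(g) for g in sibs.values())):
            rank = {a: i for g in choice for i, a in enumerate(g)}
            def induced(b, a):              # (B,A) in induced_{T,p}, for B != A
                l = self.lca(a, b)
                return rank[self.child_toward(l, b)] < rank[self.child_toward(l, a)]
            key = cmp_to_key(lambda u, w: -1 if induced(u, w) else 1)
            def preds(a):                   # preds_{T,p}(A), in induced order
                return sorted((b for b in self.datasteps(self.accesses[a][0])
                               if b != a and b in self.visible(a) and induced(b, a)), key=key)
            if all(self.accesses[a][2] == self.result(self.accesses[a][0], preds(a))
                   for a in self.datasteps()):
                return True
        return False
def inc(v):                                 # every access reads x and writes x+1
    return v + 1
def example(serial_y=True):
    """Constructed tree: top-level T1, T2 under U; T1 has an aborted subaction S whose
    access c to x committed first; a1, a2 access x and b1, b2 access y. With serial_y
    the y-order agrees with the x-order (T1 before T2); otherwise it is reversed."""
    parent = {'T1': 'U', 'T2': 'U', 'S': 'T1', 'c': 'S',
              'a1': 'T1', 'b1': 'T1', 'a2': 'T2', 'b2': 'T2'}
    status = {'U': 'active', 'T1': 'committed', 'T2': 'committed', 'S': 'aborted'}
    status.update({a: 'committed' for a in ('c', 'a1', 'b1', 'a2', 'b2')})
    first, second = ('b1', 'b2') if serial_y else ('b2', 'b1')
    accesses = {'c': ('x', inc, 0), 'a1': ('x', inc, 0), 'a2': ('x', inc, 1),
                first: ('y', inc, 0), second: ('y', inc, 1)}
    return AAT(parent, status, accesses, {'x': 0, 'y': 0},
               {'x': ['c', 'a1', 'a2'], 'y': [first, second]})
```

With the reversed y-order the tree is still version-compatible but sibling-data_T contains the cycle T1 → T2 → T1, and the brute-force search confirms that no serializing order exists, as Theorem 9 predicts.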
6. An Algebra Based on Augmented Action Trees 

In this section, we define the algebra for our second level. This algebra will be based on the set of 
AAT’s. We define events on AAT’s, analogously to the definitions for action trees. Once again, we 
carry out the definitions within the event-state algebra framework. We then prove several basic 
properties of this algebra. Finally, we show that this algebra simulates the level 1 algebra. 


The second-level algebra can be understood as describing the "abstract effect" achieved by locking algorithms. (We do not actually describe a locking mechanism until later levels.) The major accomplishment of this section involves showing that this abstract effect in fact guarantees the required serializability condition. The argument is relatively nontrivial, and is analogous to the usual correctness proofs for strict two-phase locking. Arguments for later levels will show that locking protocols actually achieve the required abstract effect. Thus, we have factored the correctness proof for a locking algorithm into two natural parts.


6.1. Definitions

We define a new algebra 𝒜' = <A', σ', Π'>, where A' is the set of AAT's, σ' is the trivial AAT which has a single vertex U with status 'active', and the events in Π' correspond closely to the events of 𝒜, and are designated by the same names. (We will rely on context to distinguish the two cases.) The only differences are that there is no global constraint corresponding to C, and perform_{A,u} introduces two additional preconditions and an additional change. These new conditions can be thought of as capturing the abstract effect of a variant of Moss' locking algorithm.

(d1) Precondition
(d12) Let B ∈ datasteps_T(x), B live in T. Then B ∈ visible_T(A,x).
(d13) If A is live in T, then u = result(x,s), where s = <<visible_T(A,x); data_T>>.

(d2) Effect
(d23) data_T ← data_T ∪ {(B,A) : B ∈ datasteps_T(x)} ∪ {(A,A)}.

The new preconditions say that a data access A must wait long enough so that all live accesses to the object have been committed, up to the level which matters to A. Also, the value used in the access is just the one resulting from the sequence of previous accesses, in the given data ordering. The new effect just involves adding appropriate new pairs to the end of the data ordering.
6.2. Preliminary Results
This section contains two straightforward lemmas. The first describes some invariants preserved by the events.
Lemma 10: If T is computable in 𝒜', then the following are true.

a. If A ∈ vertices_T and parent(A) ∈ committed_T, then A ∈ done_T.
b. U ∈ active_T.
c. If (B,A) ∈ data_T, then either B is dead in T, or else B ∈ visible_T(A).

d. If A ∈ committed_T and B ∈ desc(A) ∩ vertices_T, then either B is dead in T or else B ∈ visible_T(A).

Proof: Most of the arguments are straightforward. We argue cases c. and d.

c. If B = A, the result is immediate. If B ≠ A, then the only way we get (B,A) ∈ data_T is by virtue of some perform_{A,u} event. That is, there exists T' such that T' ⊢ T, such that the precondition for some step perform_{A,u} is satisfied in T'. Thus, B is dead in T' or B ∈ visible_{T'}(A). Therefore, B is dead in T or B ∈ visible_T(A).

d. If B = A, the result is immediate. So assume A ≠ B. Let A ∈ committed_T, B ∈ desc(A) ∩ vertices_T, B live in T, and B ∉ visible_T(A). Then there exist C, D ∈ desc(A) ∩ anc(B), for which C = parent(D), C ∈ committed_T and D ∈ active_T. But this contradicts part a.

□


The second lemma of this subsection describes properties that hold of a pair of AAT's, one of which is derivable from the other.
Lemma 11: Let T and T' be computable in 𝒜', and assume that T ⊢ T'.

a. vertices_T ⊆ vertices_{T'}, committed_T ⊆ committed_{T'}, aborted_T ⊆ aborted_{T'}, and data_T ⊆ data_{T'}.

b. If A ∈ datasteps_T then label_T(A) = label_{T'}(A).

c. If A ∈ datasteps_T and (B,A) ∈ data_{T'}, then (B,A) ∈ data_T.
d. If A ∈ vertices_T then visible_T(A) ⊆ visible_{T'}(A).
e. If A ∈ vertices_T and A is live in T', then A is live in T.

f. If A = parent(B) and A ∈ committed_T and B ∈ vertices_{T'}, then B ∈ done_T.
Proof: The only case that takes some arguing is f. Let A = parent(B), A ∈ committed_T and B ∈ vertices_{T'}. Let T' be the result of Φ applied to T, and let T be the result of Ψ. Then Ψ contains a step π of the form commit_A, and ΨΦ contains a step ρ of the form create_B. π cannot precede ρ, since the precondition for ρ would be violated. So ρ precedes π. Then the precondition for π implies that B ∈ done_T.

□


6.3. Computability Guarantees Data-Serializability 

Note that there is no correctness condition for AAT's explicitly mentioning serializability. This is because for AAT's, computability alone is sufficient to guarantee serializability of perm(T), as we show in the next theorem. It is convenient to prove the two required properties separately, in two lemmas. The second of these two lemmas is the hardest result in the paper.

Lemma 12: If T is computable in 𝒜', then perm(T) is version-compatible.

Proof: Let A ∈ datasteps_{perm(T)}(x). We must show that u (= label_{perm(T)}(A)) = result(x,s), where s = <<v-data_{perm(T)}(A); data_{perm(T)}>>. A is inserted into the tree by a perform_{A,u} step π, so let the event sequence producing T be written as ΦπΨ. Let T' denote the result of Φ, and T'' the result of Φπ. The preconditions for π show that label_{T''}(A) = result(x,s'), where s' = <<visible_{T'}(A,x); data_{T'}>>. By Lemma 11b and the definition of perm(T), it follows that label_{perm(T)}(A) = result(x,s'). Thus, it suffices to show that s = s'. Since both data_{T'} and data_{perm(T)} are consistent with data_T, it suffices to show that s and s' contain the same elements.

First, let B ∈ s. Then (B,A) ∈ data_T, and so by Lemma 11c, B ∈ datasteps_{T''}(x). Since A is the only element in T'' which is not in T', B ∈ datasteps_{T'}(x). Since A ∈ vertices_{perm(T)} = visible_T(U), and U ∉ aborted_T (by Lemma 10), it follows that A is live in T. Since B ∈ visible_T(A), Lemma 6 shows that B is live in T. Thus, B is live in T', by Lemma 11e. The precondition for π implies that B ∈ visible_{T'}(A,x), so B ∈ s'.

Conversely, suppose B ∈ s'. Then B ≠ A since A ∉ vertices_{T'}. Then (B,A) ∈ data_{T''}, so by Lemma 11a, (B,A) ∈ data_T. By Lemma 11d, B ∈ visible_T(A,x). By Lemma 7, it suffices to show that B ∈ vertices_{perm(T)} = visible_T(U). But B ∈ visible_T(A) and A ∈ visible_T(U), so Lemma 5c suffices.
□
Lemma 13: If T is computable in 𝒜', then there are no nontrivial cycles in sibling-data_{perm(T)}.

Proof: Assume the contrary: let (A_0, A_1, ..., A_k = A_0), k ≥ 2, be a minimum length cycle such that (A_i, A_{i+1}) ∈ sibling-data_{perm(T)} for all i, 0 ≤ i ≤ k-1. Let a sequence Φ of events be defined so that T is the result of Φ. We will show that for each i, 0 ≤ i ≤ k-1, there exists a prefix Ψ_i of Φ such that if T' is the result of Ψ_i then A_i ∈ done_{T'} and A_{i+1} ∉ done_{T'}. If we fix i for which Ψ_i is of maximum length, and let T' be the result of this Ψ_i, then we see that A_{i+1} ∉ done_{T'}. But Ψ_{i+1} is no longer than Ψ_i, so Lemma 11a implies that A_{i+1} ∈ done_{T'}, which is a contradiction.

So fix i, 0 ≤ i ≤ k-1. Then (A_i, A_{i+1}) ∈ sibling-data_{perm(T)}. Then there exist B ∈ desc(A_i), C ∈ desc(A_{i+1}) with (B,C) ∈ data_{perm(T)}. Since B, C ∈ vertices_{perm(T)}, it follows that (anc(B) ∪ anc(C)) ∩ proper-desc(U) ⊆ committed_T. Now, Φ has a prefix Ψπ, where π is a perform_{C,u} step. Let T' be the result of Ψ, and T'' the result of Ψπ. Lemma 11c implies that (B,C) ∈ data_{T''}, so that B ∈ datasteps_{T'}. Since B is live in T (using Lemma 10b), Lemma 11e implies that B is live in T'. Then the precondition for π implies that B ∈ visible_{T'}(C), which means that A_i ∈ anc(B) ∩ proper-desc(lca(B,C)) ⊆ committed_{T'} ⊆ done_{T'}. We must show that A_{i+1} ∉ done_{T'}; if we can do this, then taking Ψ_i = Ψ yields the result. Assume A_{i+1} ∈ done_{T'}. Then let D be the lowest ancestor of C for which D ∈ done_{T'}; it must be the case that D ∈ anc(C) ∩ proper-desc(lca(B,C)) ⊆ committed_T, so D ∈ committed_{T'}. Since C ∈ active_{T'}, we know that D ≠ C. Let E be the single element of children(D) in anc(C). Then E ∉ done_{T'}. Then E ∉ vertices_T, by Lemma 11f. This means C ∉ vertices_T. This is a contradiction.

□
Theorem 14: If T is computable in 𝒜', then perm(T) is data-serializable.
Proof: Immediate from Lemma 12, Lemma 13 and Theorem 9.

□


6.4. Simulation
Next, we show that 𝒜' simulates 𝒜. We define a mapping h from 𝒜' to 𝒜 as follows. If T = (S, data_T) is an AAT, then h(T) = {S}. If π is in Π', then h(π) is just the event in Π with the same name.
Lemma 15: h is a simulation of 𝒜 by 𝒜'.
Proof: (a) and (d) of the definition of a possibilities mapping are immediate. Property (b) follows immediately from the fact that each event of 𝒜' is defined only where the corresponding event of 𝒜 is defined (since only additional constraints are added for 𝒜'); note that Theorem 14 implies that the C-constraint is always satisfied. Property (c) is then straightforward. Thus, h is a possibilities mapping. Lemma 3 shows that h is a simulation.

□
7. An Algebra Based on Version Maps
In order to complete the proof of Moss' algorithm, it remains to prove that it achieves the abstract effect of locking described by 𝒜'. It seems simplest to decompose this task further, first showing that a centralized locking algorithm simulates 𝒜', and then showing that a distributed version of the algorithm simulates the centralized version. It turns out to be feasible to decompose the proof of the centralized locking algorithm still further. Namely, we first describe a locking-style algorithm which retains a large amount of useful information. Then we show that a more optimized locking algorithm simulates the algorithm which retains information.

In this section, we develop the third level of the algorithm, the locking-style algorithm which retains information.


7.1. Version Maps 

As before, we begin by introducing another data structure, called a "version map". This one records some locking information for each object. As in Moss' algorithm, each object has a stack of locks, held at any time by a sequence of actions which are successive descendants. The version map records, for each object, and each action in some sequence of successive descendants, the sequence of accesses to the object whose result is available to the action.

Thus, a version map is a partial mapping V from obj × act to sequences of accesses, such that the following properties are satisfied:
- V(x,U) is defined for all x,
- each V(x,A) consists of accesses to x,
- for each x, if V(x,A) and V(x,B) are both defined, then either A ∈ desc(B) or B ∈ desc(A),
- if V(x,A) and V(x,B) are both defined and B ∈ desc(A), then V(x,B) is an extension of V(x,A).

Thus, for each x, V is defined only for transactions which lie on some chain of ancestors; V is not necessarily defined for all transactions on the chain, but only for some subset of the transactions on the chain.

If A is the least action for which V(x,A) is defined, then we call A the principal action for x in V; in this case, if result(x,V(x,A)) = u, we say that u is the principal value of x in V.


7.2. Definition of the Algebra 

We define another algebra, 𝒜'' = <A'', σ'', Π''>, as follows. A'' is the set of pairs (T,V), where T is an AAT and V is a version map. σ'' consists of the trivial AAT consisting of a single node U with status 'active', and the version map which has V(x,U) equal to the empty sequence, for all x, and is otherwise undefined. Π'' consists of the six events defined below in (a)-(f).

In all the events to follow, we assume that A ∈ act - {U}. Events (a)-(c) are identical to (a)-(c) of 𝒜'. Some changes are needed in the perform event, and there are two new events which manipulate locks.
(d) perform_{A,u}, A ∈ accesses, x = object(A), u ∈ values(x)

(d1) Precondition
(d11) A ∈ active_T.
(d12) {B : V(x,B) is defined} ⊆ proper-anc(A).
(d13) u is the principal value of x in V.

(d2) Effect
(d21) status_T(A) ← 'committed'.
(d22) label_T(A) ← u.
(d23) data_T ← data_T ∪ {(B,A) : B ∈ accesses_T(x)} ∪ {(A,A)}.
(d24) V(x,A) ← V(x,B) ∘ (A), where B is the principal action for x in V.

(e) release-lock_{A,x}, x ∈ obj

(e1) Precondition
(e11) V(x,A) is defined.
(e12) A ∈ committed_T.

(e2) Effect
(e21) V(x,parent(A)) ← V(x,A).
(e22) V(x,A) ← undefined.

(f) lose-lock_{A,x}, x ∈ obj

(f1) Precondition
(f11) V(x,A) is defined.
(f12) A is dead in T.

(f2) Effect
(f21) V(x,A) ← undefined.

Thus, (d) says that a perform_{A,u} event can only be carried out when the current lock-holders are all proper ancestors of A, and when u is the proper value which should be provided to A. This event has the new effect of augmenting the version map by giving a "lock" to A: A gets a sequence of versions which is exactly that held by the previous principal action, concatenated with a new version for A. Event (e) allows a lock to be released by a committed action: its effect is to pass the lock up to its parent, so that its parent now obtains the sequence of versions previously held by the child. Event (f) allows a lock to be released by a dead action.
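As an added example (not code from the paper), here is an executable Python version of the six 𝒜'' events above, with events (a)-(c) being the ones of Section 4, over a parent map, a status map, the per-object data_T order and the version map V. The class name VersionMapSystem, the helper perform_allowed, the update function inc and the trace built by scenario are this example's own assumptions; the trace shows a second top-level action's access being held off until the lock on x has been released up to U, and the dead access's version being dropped by lose-lock after its parent aborts.

```python
# Added example (not the paper's code): the events (a)-(f) of A'' from Section 7.2.
def inc(v):                      # every access here reads the object and writes value+1
    return v + 1

class VersionMapSystem:
    def __init__(self, objects, init):
        self.parent = {}                 # child -> parent; the root 'U' has none
        self.status = {'U': 'active'}    # status_T
        self.access = {}                 # access -> (object, update function)
        self.label = {}                  # label_T: access -> value seen
        self.data = {x: [] for x in objects}        # data_T, as a per-object order
        self.init = init
        self.V = {(x, 'U'): [] for x in objects}   # sigma'': only V(x,U) is defined
    def anc(self, a):                    # anc(A), A itself included
        chain = []
        while a is not None:
            chain.append(a)
            a = self.parent.get(a)
        return chain
    def dead(self, a):                   # anc(A) ∩ aborted_T ≠ ∅
        return any(self.status[c] == 'aborted' for c in self.anc(a))
    def holders(self, x):                # {B : V(x,B) is defined}
        return [b for (o, b) in self.V if o == x]
    def principal(self, x):
        """Principal action for x in V (the least holder) and its principal value."""
        b = max(self.holders(x), key=lambda h: len(self.anc(h)))
        v = self.init[x]
        for a in self.V[(x, b)]:         # result(x, V(x,B))
            v = self.access[a][1](v)
        return b, v
    def create(self, a, parent):                                        # (a)
        assert a not in self.status                                      # (a11)
        assert self.status.get(parent) in ('active', 'aborted')         # (a12)
        self.parent[a], self.status[a] = parent, 'active'                # (a21), (a22)
    def commit(self, a):                                                # (b), A not an access
        assert a not in self.access and self.status[a] == 'active'      # (b11)
        assert all(self.status[c] != 'active'                            # (b12)
                   for c, p in self.parent.items() if p == a)
        self.status[a] = 'committed'                                     # (b21)
    def abort(self, a):                                                 # (c)
        assert self.status[a] == 'active'                                # (c11)
        self.status[a] = 'aborted'                                       # (c21)
    def perform_allowed(self, a, x):
        """(d11) and (d12): A is active and every lock holder is a proper ancestor of A."""
        return (self.status.get(a) == 'active' and
                all(h in self.anc(a) and h != a for h in self.holders(x)))
    def perform(self, a, x, update, u):                                 # (d)
        assert self.perform_allowed(a, x)
        b, value = self.principal(x)
        assert u == value                                                # (d13)
        self.access[a] = (x, update)
        self.status[a], self.label[a] = 'committed', u                   # (d21), (d22)
        self.data[x].append(a)                                           # (d23)
        self.V[(x, a)] = self.V[(x, b)] + [a]                            # (d24)
    def release_lock(self, a, x):                                       # (e)
        assert (x, a) in self.V and self.status[a] == 'committed'        # (e11), (e12)
        self.V[(x, self.parent[a])] = self.V.pop((x, a))                 # (e21), (e22)
    def lose_lock(self, a, x):                                          # (f)
        assert (x, a) in self.V and self.dead(a)                         # (f11), (f12)
        del self.V[(x, a)]                                               # (f21)

def scenario():
    """Constructed trace. T1 and T2 under U each increment x through one access;
    a2 is held off while the lock on x sits outside its ancestors, runs once the
    lock has been released up to U, and its version is dropped after T2 aborts."""
    s = VersionMapSystem(['x'], {'x': 0})
    for a, p in (('T1', 'U'), ('T2', 'U'), ('S', 'T1'), ('a1', 'S'), ('a2', 'T2')):
        s.create(a, p)
    s.perform('a1', 'x', inc, 0)                       # principal value of x is init(x) = 0
    r = {'blocked_by_a1': not s.perform_allowed('a2', 'x')}
    s.release_lock('a1', 'x')                          # V(x,S) = (a1)
    r['blocked_by_S'] = not s.perform_allowed('a2', 'x')
    s.commit('S'); s.release_lock('S', 'x')           # V(x,T1) = (a1)
    s.commit('T1'); s.release_lock('T1', 'x')         # V(x,U) = (a1): T1's work is now permanent
    r['allowed_after_U'] = s.perform_allowed('a2', 'x')
    s.perform('a2', 'x', inc, 1)                       # a2 sees result(x, (a1)) = 1
    r['value_held_by_a2'] = s.principal('x')[1]        # a2 now holds (a1, a2), value 2
    s.abort('T2'); s.lose_lock('a2', 'x')              # a2 is dead: its version disappears
    r['value_after_abort'] = s.principal('x')[1]       # back to the value held by U
    s.create('T3', 'U'); s.create('a3', 'T3')
    s.perform('a3', 'x', inc, r['value_after_abort'])  # a3 sees 1, never a2's write
    r['data_order'] = list(s.data['x'])
    return r
```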


7.3. Basic Properties 
In this subsection, we present a simple lemma stating some important invariants preserved in 𝒜''.
Lemma 16: If (T,V) is computable in 𝒜'', then the following are true.

a. If V(x,A) is defined, then A ∈ vertices_T.

b. If B ∈ datasteps_T(x) and B is live in T, then there exists A ∈ anc(B) with V(x,A) defined and B an element of V(x,A).

c. If V(x,A) is defined, then each element of V(x,A) is in visible_T(A).

d. If V(x,A) is defined, then the elements of V(x,A) are in data_T order.

Proof: Straightforward. We argue b., for example. Immediately after an event perform_{B,u} occurs, we see that V(x,B) is defined, and B ∈ V(x,B). Assume inductively that there is some ancestor, C, of B with V(x,C) defined and B ∈ V(x,C). Since B remains live, there are no steps of the form lose-lock_{C,x}. Thus, if V(x,C) is ever changed, it must be because of a release-lock step. There are two possibilities. First, the change could occur because of a release-lock_{C,x} step. But such a step causes V(x,parent(C)) to take on the old value of V(x,C), thereby preserving the needed property. Second, the change could occur because V(x,C) gets redefined to be the previous value of V(x,D), where D ∈ children(C). But because the successive sequences are extensions of each other, B is an element of V(x,D) as well. Thus, the needed property is preserved in this case also.
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7.4. Simulation 
Define a mapping h’ from A” to A' as follows. h' maps (T,V) to os ae maps events (a)-(d) to 
events of the same name, and events (e) and (f} to A. 

Lemma 17:h' is a simulation of A’ by A”... 

Proof: It suffices to show that h' is a possibilities mapping. Properties (a) and (d) are 
easy to check. We consider property (b). Let π' ∈ Π'', where h'(π') = π ∈ Π'. Then π' is 
either of the form create_A, commit_A, abort_A, or perform_{A,u}. In the first three cases, 
property (b) is easy to check. So assume that π' is of the form perform_{A,u}. Assume (T,V) 
is computable in A'' and π' is defined on (T,V), yielding (T',V'). We must show that 
perform_{A,u} (i.e. the event of A') is defined on T. Let x = object(A). 

Condition (d11) for A' follows immediately from the corresponding condition for A''. 
We consider (d12). Let B ∈ datasteps_T(x), and assume that B is live in T. Since (T,V) is 
computable in A'', Lemma 16 implies that there is some C ∈ anc(B) for which V(x,C) is 
defined and for which B is an element of V(x,C). Then Lemma 16 implies that B ∈ 
visible_T(C). Since π' is defined on (T,V), (d12) for A'' implies that C ∈ anc(A). Since A ∈ 
vertices_T, Lemma 5 implies that B ∈ visible_T(A), as needed. 


Next, we consider (d13). Assume A is live in T, and let s = <<visible_T(A,x); data_T>>. We 
must show that u = result(x,s). Let B be the principal action for x in V. Condition (d13) for 
A'' implies that u = result(x,V(x,B)). It suffices to show that s and V(x,B) are identical. 
Since the elements of V(x,B) are in data_T order (by Lemma 16), it suffices to show that s 
and V(x,B) contain the same set of elements. 


First assume C is in s, i.e. C ∈ visible_T(A,x). Since A is live in T, Lemma 6 implies that C 
is live in T. Then Lemma 16 implies that there exists D ∈ anc(C) for which V(x,D) is defined 
and C is an element of V(x,D). Since B is the principal action for x in V, the sequence 
extension property of the definition of version maps implies that C is also an element of 
V(x,B). 


Conversely, assume that C is an element of V(x,B). Lemma 16 implies that C ∈ 
visible_T(B). Condition (d12) for A'' implies that B ∈ anc(A). Thus, C ∈ visible_T(A). 


It is easy to check that property (c) holds, once we know that the definability conditions 
correspond. Therefore, h' is a possibilities mapping. 

□ 

Theorem 18: h∘h' is a simulation of A by A''. 

Proof: Immediate from Lemmas 15, 17 and 1. 

□ 


8. An Algebra Based on Value Maps 

The previous section described a version of a locking algorithm in which considerable information 
(the sequences of versions) was retained. In this section, we describe the fourth level of our 
algorithm. In this level, we optimize the locking algorithm of the previous level by condensing some of 
the information retained. Namely, it turns out not to be necessary to retain the complete sequences of 
versions; rather, we can manage by retaining only the latest value of the object for each action. 


Note that we can prove a simulation result after eliminating information precisely because 
possibilities maps are able to yield sets of states rather than single states. The sets of states serve to 
replace the eliminated information. 


8.1. Value Maps 
As before, we introduce another data structure. This one records, for each object and action, the 
latest value of the object which is available to the action. 


A value map is a partial mapping V from obj × act to values(obj), such that the following properties 
are satisfied: 

- V(x,U) is defined for all x, 
- each V(x,A) ∈ values(x), and 
- for each x, if V(x,A) and V(x,B) are both defined, then either A ∈ desc(B) or B ∈ desc(A). 


If A is the least action for which V(x,A) is defined, then we call A the principal action for x in V; in 
this case, if V(x,A) = u, we call u the principal value of x in V. 


If V is a version map, then let eval(V) be the value map defined on exactly the same domain, so 
that eval(V)(x,A) = result(x,V(x,A)). 

Lemma 19: Let V be a version map, x ∈ obj. Then the principal action for x in V is the 
same as the principal action for x in eval(V), and the principal value of x in V is the same as 
the principal value of x in eval(V). 

Proof: Straightforward. 

□ 


8.2. Definition of the Algebra 

We define another algebra, A''' = <A''', σ''', Π'''>, as follows. A''' is the set of pairs (T,V), where T 
is an AAT and V is a value map. σ''' consists of the trivial AAT consisting of a single node U with 
status 'active', and the value map which has V(x,U) equal to init(x), for all x, and is otherwise 
undefined. Π''' consists of six events (a)-(f). 


In all the events, we assume that A ∈ act - {U}. Events (a)-(c), (e) and (f) are identical to the 
corresponding events of A''. Event (d) is also identical, except for the change indicated below. 


(d2) Effect 
(d24) V(x,A) ← update(A)(u). 


8.3. Simulation 

Define a mapping h'' from A''' to A'' as follows. Let h''(T,V) = {(T,W): eval(W) = V}. h'' maps all 
events to events of the same name. 

Lemma 20: h'' is a simulation of A'' by A'''. 

Proof: It suffices to show that h'' is a possibilities mapping. Properties (a) and (d) are 
easy to check. Let π' ∈ Π'''. If π' is any event except for a perform event, then properties 
(b) and (c) are immediate. 


Assume π' is perform_{A,u}. Assume (T,V) is computable in A''', (T,W) ∈ h''(T,V), (T,W) 
is computable in A'', π' is defined for (T,V) and (T',V') = π'(T,V). Lemma 19 implies that 
property (b) holds, i.e. that π = perform_{A,u} is defined on (T,W). It follows from the effects 
of the two events that π(T,W) = (T',W') for some version map W'. In order to show 
property (c), it suffices to show that eval(W') = V'. Since eval(W) = V, we only need to 
consider the values which change because of the present event, i.e. we need to show that 
result(x,W'(x,A)) = V'(x,A). But result(x,W'(x,A)) = result(x, W(x,B) ∘ (A)), where B is the 
principal action for x in W, = update(A)(result(x, W(x,B))), = update(A)(V(x,B)) since 
eval(W) = V. But B is the principal action for x in V, by Lemma 19, so u = V(x,B). 
Therefore, the last term in the extended equality is equal to update(A)(u), which is equal 
to V'(x,A) by definition. 


□ 

Theorem 21: h∘h'∘h'' is a simulation of A by A'''. 

Proof: Immediate from Lemmas 18, 20 and 1. 

□ 
9. The Algorithm 

The only remaining task is to describe a distributed locking algorithm, and show that it simulates 
the previous algorithm. In this section, a slightly simplified version (which doesn't distinguish read 
and write steps) of Moss' algorithm is described using a distributed algebra. 


9.1. Notation and Definitions 
Let [k] denote {1,...,k}. 


We fix a particular k, as the number of nodes. For convenience, we designate the nodes by 
identifiers in [k]. 
Let home: (act - {U}) ∪ obj → [k], with home(A) = home(object(A)) for all A ∈ accesses. Thus, 
home partitions the actions and objects among the nodes. Let origin: (act - {U}) → [k] be defined so 
that origin(A) = home(A) if parent(A) = U, and origin(A) = home(parent(A)) otherwise. 


In order to describe the local state of each node, it is convenient to define a generalization of 
action trees. Thus, we define an action summary T to consist of components vertices_T, active_T, 
committed_T, and aborted_T, where vertices_T is any finite subset of act (not necessarily closed under 
the parent operation), and the remaining three components form a partition of vertices_T. The notation 
done_T and status_T is also extended in the obvious way. If T and T' are action summaries or action 
trees, we say that T ≤ T' provided that vertices_T ⊆ vertices_{T'}, and correspondingly for committed 
and aborted. We also define T'' = T ∪ T' so that vertices_{T''} = vertices_T ∪ vertices_{T'}, and similarly 
for committed_{T''} and aborted_{T''}. An action summary will be used to describe partial knowledge of the 
latest status of the transactions. 


9.2. Definition of the Algebra 

We describe the algorithm as the algebra 𝔅 = <B, τ, P>, which is distributed over I = [k] ∪ 
{'buffer'}. The elements of [k] correspond to the k nodes of a distributed system, and the buffer 
corresponds to the entire message system. The components are defined as follows. Let B be the 
Cartesian product of state sets B_i, where i ∈ I. 


If i ∈ [k] (that is, if i corresponds to a node), then B_i consists of the values of two variables: i.T, 
which contains an action summary, and i.V, which contains a value map. The action summary 
recorded in i.T represents node i's knowledge of the latest status of various transactions. The value 
map in i.V contains the latest value map information for all objects whose home is i. 


If i = 'buffer', then B_i consists of the values of variables M_j, j ∈ [k], each of which contains an 
action summary. The action summary in M_j represents all the information which has been sent to 
node j during the entire computation. 


The initial state τ is a vector of initial states for all the components. If i ∈ [k], then τ_i has i.T 
initialized as the trivial action summary, having no vertices, and i.V initialized so that i.V(x,U) = init(x) 
for all x with home(x) = i, and otherwise undefined. If i = 'buffer', then τ_i has each M_j equal to the 
trivial action summary. 


The algorithm has eight kinds of events. Six correspond closely to the six events of A''': four 
record the creation, commit and abort of actions and the performance of data accesses, and two 
manipulate locks. The other two correspond to the sending and receiving of messages. The events 
are listed below. As usual, we present them by listing a precondition and the effect on the state. In 
addition, we define d(π), the doer of each step. 


In all cases, we assume that A ∈ act - {U}. 


(a) create_{i,A}, origin(A) = i 

(a1) Precondition 
(a11) A ∉ i.vertices. 
(a12) If parent(A) ≠ U, then parent(A) ∈ i.vertices - i.committed. 

(a2) Effect 
(a21) i.vertices ← i.vertices ∪ {A}. 
(a22) i.status(A) ← 'active'. 

(a3) Doer: i 

(b) commit_{i,A}, A ∉ accesses, home(A) = i 

(b1) Precondition 
(b11) A ∈ i.active. 
(b12) children(A) ∩ i.vertices ⊆ i.done. 

(b2) Effect 
(b21) i.status(A) ← 'committed'. 

(b3) Doer: i 

(c) abort_{i,A}, A ∉ accesses, home(A) = i 

(c1) Precondition 
(c11) A ∈ i.active. 

(c2) Effect 
(c21) i.status(A) ← 'aborted'. 

(c3) Doer: i 

(d) perform_{i,A,u}, A ∈ accesses, x = object(A), u ∈ values(x), home(A) = i, home(x) = i 

(d1) Precondition 
(d11) A ∈ i.active. 
(d12) {B: i.V(x,B) is defined} ⊆ proper-anc(A). 
(d13) u is the principal value of x in i.V. 

(d2) Effect 
(d21) i.status(A) ← 'committed'. 
(d22) i.V(x,A) ← update(A)(u). 

(d3) Doer: i 

(e) release-lock_{i,A,x}, home(x) = i 

(e1) Precondition 
(e11) i.V(x,A) is defined. 
(e12) A ∈ i.committed. 

(e2) Effect 
(e21) i.V(x,parent(A)) ← i.V(x,A). 
(e22) i.V(x,A) ← undefined. 

(e3) Doer: i 

(f) lose-lock_{i,A,x}, home(x) = i 

(f1) Precondition 
(f11) i.V(x,A) is defined. 
(f12) anc(A) ∩ i.aborted ≠ ∅. 

(f2) Effect 
(f21) i.V(x,A) ← undefined. 

(f3) Doer: i 

(g) send_{i,j,T'}, T' an action summary 

(g1) Precondition 
(g11) T' ≤ i.T. 

(g2) Effect 
(g21) M_j ← M_j ∪ T'. 

(g3) Doer: i 

(h) receive_{j,T'}, T' an action summary 

(h1) Precondition 
(h11) T' ≤ M_j. 

(h2) Effect 
(h21) j.T ← j.T ∪ T'. 

(h3) Doer: buffer 


Thus, (a)-(f) correspond closely to (a)-(f) of A'''. Events (g) and (h) are the new communication 
events. These conditions say that any communication is allowed at any time, which sends any of i's 
action summary information from i to j. 

Lemma 22: 𝔅 is an algebra, which is distributed over I using d. 

Proof: Straightforward. 
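The value maps of Sections 8.1-8.2 and the eight events (a)-(h) above, as an added executable model (not code from the paper): each method checks one event's precondition and, if it holds, applies its effect and reports success. The two-node instance built by demo_system(), with actions P, Q, R, accesses a1 and a2 on one object x, their home assignment and update functions, is constructed for illustration only; it shows why the communication events are needed (a create or commit at node i is refused until i has received the relevant action summary) and how (d12) refuses a perform while a non-ancestor still holds a value of x.

```python
# Added example, not the paper's code: model of Section 9.2, events (a)-(h), over value maps.
U = "U"                                   # the root action; V(x,U) is always defined
def anc(parent, A):                       # anc(A) = [A, parent(A), ..., U]
    return [A] if A == U else [A] + anc(parent, parent[A])

def leq(S, T):                            # S <= T for action summaries (act -> status dicts)
    return all(A in T and (s == "active" or T[A] == s) for A, s in S.items())

def merge(T, S):                          # T <- T U S; a known commit/abort is never lost
    T.update({A: s for A, s in S.items() if T.get(A, "active") == "active"})
class System:
    def __init__(self, k, parent, home, obj, update, init):
        self.parent, self.home, self.obj, self.update = parent, home, obj, update
        self.T = {i: {} for i in range(1, k + 1)}                     # i.T
        self.V = {i: {(x, U): v for x, v in init.items() if home[x] == i}
                  for i in range(1, k + 1)}                           # i.V, home(x) = i
        self.M = {j: {} for j in range(1, k + 1)}                     # buffer variables M_j
    def create(self, i, A):               # (a): at origin(A); parent known and uncommitted
        T, p = self.T[i], self.parent[A]
        origin = self.home[A] if p == U else self.home[p]
        if origin != i or A in T or (p != U and T.get(p, "committed") == "committed"):
            return False
        T[A] = "active"
        return True
    def finish(self, i, A, status):       # (b) commit / (c) abort of a non-access A at home(A)
        T, kids = self.T[i], [B for B in self.parent if self.parent[B] == A]
        if self.home[A] != i or A in self.obj or T.get(A) != "active" or \
                (status == "committed" and any(T.get(B) == "active" for B in kids)):  # (b12)
            return False
        T[A] = status
        return True
    def principal(self, i, x):            # principal value of x in i.V: the deepest holder's value
        holders = [B for (y, B) in self.V[i] if y == x]
        return self.V[i][(x, max(holders, key=lambda B: len(anc(self.parent, B))))]
    def perform(self, i, A, u):           # (d): every holder of x is a proper ancestor of A
        x, T, V = self.obj[A], self.T[i], self.V[i]
        if T.get(A) != "active" or self.home[x] != i or u != self.principal(i, x) \
                or any(B not in anc(self.parent, A)[1:] for (y, B) in V if y == x):
            return False
        T[A] = "committed"                # (d21)
        V[(x, A)] = self.update[A](u)     # (d22), the (d24) effect of Section 8.2
        return True
    def release_lock(self, i, A, x):      # (e): committed A hands its value of x to parent(A)
        if (x, A) not in self.V[i] or self.T[i].get(A) != "committed":
            return False
        self.V[i][(x, self.parent[A])] = self.V[i].pop((x, A))
        return True
    def lose_lock(self, i, A, x):         # (f): some ancestor of A is known aborted at i
        dead = any(self.T[i].get(B) == "aborted" for B in anc(self.parent, A))
        if (x, A) not in self.V[i] or not dead:
            return False
        del self.V[i][(x, A)]
        return True
    def send(self, i, j, S):              # (g): any S <= i.T is added to M_j
        if not leq(S, self.T[i]):
            return False
        merge(self.M[j], S)
        return True
    def receive(self, j, S):              # (h): node j absorbs any S <= M_j
        if not leq(S, self.M[j]):
            return False
        merge(self.T[j], S)
        return True

def demo_system():                        # constructed 2-node instance; object x lives at node 1
    parent = {"P": U, "Q": "P", "R": "P", "a1": "Q", "a2": "R"}     # a1, a2 are accesses to x
    home = {"P": 1, "Q": 2, "R": 1, "a1": 1, "a2": 1, "x": 1}       # home(a1) = home(x) = 1
    return System(2, parent, home, {"a1": "x", "a2": "x"},
                  {"a1": lambda u: u + 1, "a2": lambda u: u * 10}, {"x": 0})
```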
9.3. Simulation 

Now define an interpretation h''' from 𝔅 to A''' by mapping the first six types of events to the 
events of the same name, suppressing the index in [k], and mapping the other two types of events to 
λ. 


If b € B, then we add "[b]" to the end of a variable name to denote the value of that variable in 
state b. 


For each i ∈ I, we define a mapping h_i from B to 𝒫(A''') as follows. If i ∈ [k], then (T,V) ∈ h_i(b) 
exactly if (T,V) is computable in A''' and the following are true: 

- vertices_T ∩ {A: origin(A) = i} ⊆ i.vertices[b] ⊆ vertices_T. 

- committed_T ∩ {A: home(A) = i} ⊆ i.committed[b] ⊆ committed_T. 

- aborted_T ∩ {A: home(A) = i} ⊆ i.aborted[b] ⊆ aborted_T. 

- i.V[b] is the restriction of V to {(x,A): home(x) = i}. 

If i = 'buffer', then (T,V) ∈ h_i(b) exactly if (T,V) is computable in A''' and M_j[b] ≤ T for each j ∈ [k]. 
If (T,V) ∈ h_i(b), then we also say that (T,V) is i-consistent with b. 


We now proceed to prove lemmas corresponding to the properties required in the definition of a 
local mapping. The proofs are long, but are very straightforward case analyses. 

Lemma 23: For all i ∈ I, σ''' ∈ h_i(τ). 

Proof: Immediate from the definitions. 

Lemma 24: Assume i ∈ I. Assume π' ∈ P, d(π') = i, π = h'''(π') ∈ Π''', a and a' are 
computable in A''' and 𝔅, respectively, a ∈ h_i(a') and a' ∈ domain(π'). Then a ∈ 
domain(π). 


Proof: Let a be (T,V). 


First, assume that π' is create_{i,A}, so that π is create_A. Then origin(A) = i. Since a' ∈ 
domain(π'), A ∉ i.vertices[a']. Since (T,V) is i-consistent with a', A ∉ vertices_T, thus 
showing (a11). If parent(A) = U, then the fact that (T,V) is computable and Lemma 16 
imply that parent(A) ∈ active_T, thus showing (a12) for this case. On the other hand, if 
parent(A) ≠ U, then the precondition for π' shows that parent(A) ∈ i.vertices[a'] - 
i.committed[a']. The fact that (T,V) is i-consistent with a' implies that parent(A) ∈ 
vertices_T - committed_T. Thus, (a12) holds. 


Second, consider π' = commit_{i,A}, so that π is commit_A. The precondition for π' 
shows that A ∈ i.active[a']. The fact that (T,V) is i-consistent with a' implies that A ∈ 
active_T, thus showing (b11). The precondition for π' shows that children(A) ∩ 
i.vertices[a'] ⊆ i.done[a']. The fact that (T,V) is i-consistent with a' implies that 
children(A) ∩ vertices_T ⊆ done_T, thus showing (b12). 


Third, assume π' = abort_{i,A}, so that π is abort_A. This case is similar to the first half 
of the previous case. 


Fourth, assume π' = perform_{i,A,u}, so that π is perform_{A,u}. Then home(A) = i. 
Assume object(A) = x, so that home(x) = i. (d11) is argued as in the preceding two cases. 
We show (d12). Choose B so that V(x,B) is defined. Since (T,V) is i-consistent with a' and 
home(x) = i, i.V(x,B)[a'] is also defined. The precondition for π' implies that B ∈ proper- 
anc(A), as needed. Next, we show (d13). The precondition for π' implies that u is the 
principal value for x in i.V[a']. Since (T,V) is i-consistent with a', u is also the principal 
value for x in V, as needed. 


If π' is one of (e) or (f), then π' involves some x with home(x) = i. Assume that π' 
involves A. The precondition for π' implies that i.V(x,A)[a'] is defined. Since (T,V) is i- 
consistent with a', it follows that V(x,A) is defined, thus showing both (e11) and (f11). 


If π' is a release-lock_{i,A,x} step, then the precondition for π' implies that A ∈ 
i.committed[a']. Since (T,V) is i-consistent with a', A ∈ committed_T, thus showing (e12). 


Finally, if π' is a lose-lock_{i,A,x} step, the precondition for π' implies that anc(A) ∩ 
i.aborted[a'] ≠ ∅. Since (T,V) is i-consistent with a', it follows that A is dead in T, thus 
showing (f12). 

□ 

Lemma 25: Assume i, j ∈ I. Assume π' ∈ P, d(π') = i, π = h'''(π') ∈ Π''', a and a' are 
computable in A''' and 𝔅, respectively, a ∈ h_i(a') ∩ h_j(a'), and a' ∈ domain(π'). If b' = 
π'(a'), then π(a) ∈ h_j(b'). 

Proof: Let a = (T,V) and π(a) = (T',V'). Lemma 24 implies that a ∈ domain(π). 


If j ≠ i, then it is easy to see that all the containments are preserved, since the sets of 
actions on the right sides are only increased, while the sets on the left sides are 
unchanged. The property involving V is also easily seen to be preserved. So assume j = i. 
We consider the six kinds of events in turn. 


First, assume π' is of the form create_{i,A}, commit_{i,A} or abort_{i,A}. Then V' = V, and T' 
is exactly like T except that A is added to vertices_T, committed_T or aborted_T, as appropriate. 
Also, b' is just like a' except that A is added to i.vertices, i.committed, or i.aborted, as 
appropriate. Since (T,V) is i-consistent with a', it is easy to see that all the containments 
change in such a way as to insure that (T',V') is i-consistent with b'. 


If π' is of the form perform_{i,A,u}, then home(A) = i. Let x = object(A). Then home(x) 
= i. T' is just like T except that A is added to committed_T and is given label u, and data_T is 
augmented with all pairs in {(B,A): B ∈ datasteps_T(x)} ∪ {(A,A)}. V' is just like V except that 
V'(x,A) is defined to be update(A)(u). b' is just like a' except that A is added to 
i.committed, and i.V(x,A) is defined to be update(A)(u). Since (T,V) is i-consistent with a', 
it is easy to see that (T',V') is i-consistent with b': most of the properties are immediate. 
We just check the last property; the only change involves A. We have already noted that 
i.V(x,A)[b'] = update(A)(u) = V'(x,A). This is as needed. 

If π' is of one of the forms (e) or (f), then T' = T and i.T[b'] = i.T[a']. Thus, it is clear 
that the containments are all preserved. It is also easy to check that the final property is 
preserved. 
Lemma 26: Assume i, j ∈ I. Assume π' ∈ P, d(π') = i, h'''(π') = λ, a and a' are 
computable in A''' and 𝔅, respectively, a ∈ h_i(a') ∩ h_j(a'), and a' ∈ domain(π'). If b' = 
π'(a'), then a ∈ h_j(b'). 

Proof: Let a = (T,V). 


First, assume that π' is send_{i,i',T'}. If j ≠ 'buffer', then b' = a', and the conclusion is 
immediate. So assume that j = 'buffer'. Since (T,V) is j-consistent with a', each action 
summary M_m[a'] ≤ T. The precondition for π' implies that T' ≤ i.T[a']. Since (T,V) is 
i-consistent with a', it follows that i.T[a'] ≤ T, and hence T' ≤ T. Now, each M_m[b'] ≤ M_m[a'] 
∪ T'. Therefore, each M_m[b'] ≤ T, as needed. 

Next, assume that π' is of the form receive_{i',T'}, so that i = 'buffer'. The only nontrivial 
case is j = i'. We must show that j.T[b'] ≤ T. But j.T[b'] = j.T[a'] ∪ T'. The j-consistency 
of (T,V) with a' shows that j.T[a'] ≤ T. The precondition for π' shows that T' ≤ M_j[a']. 
Since (T,V) is i-consistent with a', M_j[a'] ≤ T. Thus, T' ≤ T. Therefore, j.T[b'] ≤ T, as 
needed. 
Lemma 27: h''' and h_i, i ∈ I, form a local mapping from 𝔅 to A'''. 

Proof: Immediate from Lemmas 23, 24, 25, and 26. 

□ 

Now extend h''' to B ∪ P, by defining h'''(b) = ∩_{i ∈ I} h_i(b). 

Lemma 28: h''' is a simulation of A''' by 𝔅. 

Proof: Immediate by Lemmas 27 and 4. 

□ 


The main correctness theorem now follows. 

Theorem 29: The mapping h∘h'∘h''∘h''' is a simulation of A by 𝔅. 

Proof: Immediate from Lemma 28, Lemma 1 and Theorem 21. 

□ 


10. Conclusions 

In this paper, we have presented a detailed proof of a variant of Moss' concurrency control 
algorithm for nested transactions. Along the way, we have developed a substantial amount of basic 
theory for nested transactions. The basic framework, especially the definitions and results involving 
visibility, should be of further use. 


There is much more to be done, however. The framework presented in this paper is not powerful 
enough to describe all the correctness conditions one might want for nested transactions. In 
particular, we do not model the correspondence between what the system does and what it is 
requested to do by the transactions. This deficiency is at least partly due to the fact that we have 
chosen not to model the transactions explicitly. In order to describe everything we might want, we will 
probably have to incorporate some type of model for the transactions into the framework. 


We have only proved correctness of one variant of Moss' algorithm. There are many other related 
algorithms for which similar proofs ought to be developed. Certainly, Moss' complete algorithm (with 
a distinction between read and write operations) should be proved correct; we do not expect this 
extension to be very difficult. The orphan algorithm mentioned in the introduction should be verified; 
obtaining an understandable proof for this algorithm seems like a much harder task. Also, other 
implementations for nested transactions, such as Reed's, should be proved correct. It would be 
interesting to see to what extent the theory developed for one of these algorithms is usable for the 
others. 


The proof presented here has a very interesting structure. It describes algorithms as algebras, 
and uses a series of five levels of abstraction. Correctness is shown using four simulation mappings. 
The interesting and nontrivial concurrency control arguments are made in proving the correctness of 
the first two simulations. The correctness of the first simulation expresses the fact that certain 
conditions imply serializability. The correctness of the second simulation expresses the fact that a 
form of locking satisfies these conditions. Successive levels refine the algorithm, providing more 
implementation detail, condensing the information that is kept, and distributing the processing. 
Proofs at these lower levels are straightforward checks of the local mapping properties. 


There is more to be done in exploring the usefulness of this proof structure for other distributed 
algorithms. 